OT cyber risk is coming to a ship near you
Operational Technology, or OT, encompasses all shipboard components, such as propulsion controls, steering systems, navigational tools and bridge electronics, to mention a few.

Cyber risk has typically been associated with IT systems, but this perception must be changed sooner rather than later. As the sophistication of cyber attacks increases every day, not only must resilient solutions be implemented, but the scope of what requires protection must also be broadened.
Why is OT cyber risk increasing?
Maritime cyber threats are growing as more ships are connected to the internet and their operations become increasingly digitalised. A convergence of IT and OT systems is taking place as OEMs equip their systems with sensors for data collection, creating more entry points for cyber threats.
Vessel operators are employing an increasing range of tools for data gathering, remote maintenance and lifecycle digital twins, increasing the potential threat vectors for attackers.
Hackers are increasingly attacking maritime targets, whether for commercial gain or malicious intent. By exploiting IT/OT vulnerabilities, such as targeting obsolete systems using phishing and social engineering techniques, cybercriminals attempt to access ship systems and, once in a network, can compromise OT systems.
The consequences can have impacts on the safety of people, the environment and vessel operations.
What are the risks to OT equipment?
The risks to OT equipment such as the engine, electrical systems or bridge electronics range from loss of control of front and back of bridge navigation systems to compromise of navigation and other safety data. Loss of navigational control or impact on cargo, as well as GPS jamming or spoofing, are all real-world issues.
Shipboard OT systems from multiple equipment manufacturers are prime targets for cyber-attacks. Hacking critical control functions of vessel systems such as cargo handling, propulsion and steering, auxiliary power, emissions and pollution control can result in loss of control and ultimately failure of vessel operations.
How do I protect myself from this risk?
Vessel owners and operators have several levers to mitigate the risks and protect themselves from cyber threats. They are also coming under increasing pressure to comply with regulation and certification, in particular the Unified Requirements developed by the International Association of Classification Societies (IACS).
Like other equipment on board ship, bridge electronics systems and today's modern integrated bridge systems must be compliant with IACS Unified Requirements (UR) E26 and E27.
While UR E26 requires shipyards to demonstrate that the ships they build are cyber resilient by meeting a minimum set of requirements for cyber security, UR E27 focuses on the cyber resilience of individual onboard systems and equipment.
While the focus has been on compliance in shipping, operators in the energy market should note that E26 also applies to offshore platforms.
How do I know if my OT equipment is safe and compliant?
The IACS URs are currently applicable only to newbuilding vessels, but IACS and the IMO expect that the same standards will soon apply to existing vessels regulated under SOLAS.
For newbuildings, the vessel stakeholders will need to work with their technology partner and Classification Society to demonstrate that the ship has been constructed and is operated in compliance with the UR requirements when audited by a Classification Society.
Regular audits, penetration testing and third-party assessments are all levers that enable operators to maintain a secure and compliant posture for OT equipment.
Is compliance enough to be secure?
Compliance with the URs or other regulation does not by itself protect the asset or fleet. Compliance is a baseline, but a proactive and continuous approach to cyber security is necessary. Owners and operators need to work with technology partners to ensure that they have the appropriate level of cyber security.
This includes, among other items, protection at the network, device and personnel level, and can be extended to use of proactive detection services that assess the effectiveness of installed protection measures.
Solutions are available to detect cyber threats against OT equipment, combined with segregation of IT and OT networks and safety and control on multiple levels.
In conclusion, as OT cyber risks continue to grow in the maritime industry, it is essential to adopt comprehensive security measures and operate in compliance with the IACS URs E26 and E27.
By understanding the risks, implementing robust protections, and maintaining vigilance, owners and operators can help safeguard their vessel operations against cyber threats and improve safety for their crews and the environment.
Want to ensure the OT systems onboard your ships are compliant and protected? Contact your local Marlink office today to discuss how we can help.